Why the Risk Management Model Failed Us

(image: failed risk management model diagram)

 

Why has risk management failed us?

Every place the diagram says “Accept risks”, read “hacked computers.” JP Morgan proved the point: even with a seemingly unlimited security and IT budget, some mistakes creep into the organization.

76 million accounts affected

Every box that says “monitor and manage risks”, read “computer hacked from the internal network.”

 

Here is the relevant sentence from the Wall Street Journal Article:

{Hackers appear to have originally breached J.P. Morgan’s network via an employee’s personal computer, a person close to the investigation has said. From there, the intruders were able to move further into the bank’s systems. Employees often use software to tap into corporate networks from home through what are known as virtual private networks.}

 

I wonder whether your “extensive management crucial” box can defend against an infected or hacked computer that is already inside the internal network.

We must ASSUME the hacker is in the network already.

 

In theory we protect the highest-risk, highest-impact computers, but they are not necessarily protected from the inside, or from all threats.

 

Why else have there been so many hacked networks? Because not all of the computers are protected as they should be, and inevitably somewhere someone makes a mistake, and then the hacker is in.

Once the hacker is in your network, it has been a fact of life that it takes about 220 days to find the breach. In seven months a hacker can crack the rest of the machines.

We must move to a different risk management model:

(image: systems engineering process diagram)

 

 

The one where we exchange the “Model the system” step with “All the computers, one at a time, no matter what.”

(image: risk management systems process diagram)

It is really much simpler than the complex risk management process, and it is time for us to institute a simpler process, one that invites fewer errors and is easier to manage all around.

 

We can also insert steps such as “Test the machine with a Nessus or Qualys vulnerability scan every time a change is made” into the “re-evaluate” box.
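Here is what that simpler loop looks like when written down. This is an added example, not code from the original post or from any scanner vendor: every inventoried host is re-evaluated when its configuration changes, when it has never been evaluated, or when its last evaluation is older than a cutoff, and its risk tier never exempts it. The inventory, the configurations and the 30-day cutoff are constructed for the example, and nmap's "vuln" script category stands in for the Nessus or Qualys scan the post mentions (that command is an assumption; swap in your scanner's CLI).

```python
"""
Added example (not from the original post): the per-host re-evaluation
loop, "all the computers, one at a time, no matter what".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hashlib
import shlex
import subprocess

MAX_AGE_DAYS = 30  # assumption: every host gets re-evaluated at least monthly


@dataclass
class Host:
    name: str
    risk_tier: str                 # recorded, but deliberately never used to skip a host
    last_evaluated: Optional[date]
    fingerprint: str               # hash of the configuration seen at the last evaluation


def config_fingerprint(config_lines):
    """Hash a host's configuration (package versions, listening ports, ...), order-independent."""
    canon = "\n".join(sorted(l.strip() for l in config_lines if l.strip()))
    return hashlib.sha256(canon.encode()).hexdigest()


def hosts_due(inventory, current_configs, today, max_age_days=MAX_AGE_DAYS):
    """Return {hostname: reason} for every host that must be re-evaluated now."""
    due = {}
    for host in inventory:
        current = config_fingerprint(current_configs.get(host.name, []))
        if host.last_evaluated is None:
            due[host.name] = "never evaluated"
        elif current != host.fingerprint:
            due[host.name] = "configuration changed"
        elif today - host.last_evaluated > timedelta(days=max_age_days):
            due[host.name] = "evaluation older than %d days" % max_age_days
    return due


def scan_command(hostname):
    # Assumption: an authenticated Nessus/Qualys scan would replace this line;
    # nmap's "vuln" script category is a freely available stand-in.
    return ["nmap", "-sV", "--script", "vuln", "-oX", f"{hostname}.xml", hostname]


def run_cycle(inventory, current_configs, today, dry_run=True):
    """Re-evaluate every due host. Returns (host, reason, command) for each scan planned or run."""
    planned = []
    for hostname, reason in hosts_due(inventory, current_configs, today).items():
        cmd = scan_command(hostname)
        planned.append((hostname, reason, shlex.join(cmd)))
        if not dry_run:
            subprocess.run(cmd, check=False)
    return planned


# Constructed sample inventory and "current" configurations; not real hosts.
SAMPLE_TODAY = date(2015, 3, 20)
SAMPLE_INVENTORY = [
    Host("fileserver01", "high", date(2015, 3, 1),
         config_fingerprint(["openssh 6.6", "22/tcp", "445/tcp"])),
    Host("hr-laptop07", "low", date(2015, 3, 1),
         config_fingerprint(["openssh 6.6", "22/tcp"])),
    Host("vpn-gw01", "high", None, ""),
    Host("print-srv02", "low", date(2014, 12, 1),
         config_fingerprint(["cups 1.7", "631/tcp"])),
]
SAMPLE_CONFIGS = {
    "fileserver01": ["openssh 6.6", "22/tcp", "445/tcp"],   # unchanged, evaluated 19 days ago
    "hr-laptop07": ["openssh 6.6", "22/tcp", "3389/tcp"],   # RDP newly enabled: changed
    "vpn-gw01": ["openssh 6.6", "22/tcp", "443/tcp"],       # never evaluated
    "print-srv02": ["cups 1.7", "631/tcp"],                  # unchanged but stale (109 days)
}

if __name__ == "__main__":
    for hostname, reason, cmd in run_cycle(SAMPLE_INVENTORY, SAMPLE_CONFIGS, SAMPLE_TODAY):
        print(f"{hostname:14} {reason:32} {cmd}")
```

Run as-is it only prints the three scans it would launch (the low-risk laptop with a new listener, the never-scanned VPN gateway and the stale print server); pass `dry_run=False` to actually run them. The point of the design is what is absent: there is no branch that consults `risk_tier`, so "accept risk" cannot quietly turn into "never scanned".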

 

 Contact Us to discuss how we can help.

 

 

#Cybersecurity hiring problems?

How can we most efficiently solve a labor shortage in cybersecurity? We can’t hire robots (like the Lely Vector) as dairy farms do:

(image: Lely Vector dairy robot)

There, automation replaced jobs that were not being filled, jobs that had been mostly immigrant labor (80%).

Don’t get me wrong, we should automate as much as possible, since that will help with our IT security positions. Definitely use scripting and automated techniques in our vulnerability scanning. But at some point the logs need to be checked, or an email sent to investigate a potential problem (this may be what did Target in).

At some point a human has to receive the alert or review the log that was automatically generated.
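To make the hand-off concrete, here is an added example (not code from the original post) of the split the post is describing: the script does the log matching and collapses a noisy source into one alert, and the output is a review queue that a person must acknowledge. The sshd-style log lines, the five-failure threshold and the escalation rule (failures from a source followed by a successful login from the same source) are all constructed for the example.

```python
"""
Added example (not from the original post): automated detection over
constructed log lines, ending in a queue that a human has to work.
"""
import re
from collections import defaultdict

# Constructed sample log lines (sshd style); not from any real system.
SAMPLE_LOG = """\
Mar 20 02:11:01 vpn-gw01 sshd[4021]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 20 02:11:03 vpn-gw01 sshd[4021]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 20 02:11:05 vpn-gw01 sshd[4021]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Mar 20 02:11:09 vpn-gw01 sshd[4021]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 20 02:11:12 vpn-gw01 sshd[4021]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 20 02:12:40 vpn-gw01 sshd[4030]: Accepted password for jsmith from 198.51.100.4 port 51000 ssh2
Mar 20 02:15:00 vpn-gw01 sshd[4042]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Mar 20 03:00:00 fileserver01 sshd[771]: Failed password for backup from 192.0.2.9 port 40001 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+)")
THRESHOLD = 5  # assumption: five failures from one source is worth a human's time


def detect(log_text, threshold=THRESHOLD):
    """Return {(host, source_ip): alert} for sources that crossed the failure threshold."""
    failures = defaultdict(int)
    alerts = {}  # keyed per (host, source) so a noisy source yields ONE alert, not hundreds
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = fields[3]
        m = FAILED.search(line)
        if m:
            key = (host, m["ip"])
            failures[key] += 1
            if failures[key] >= threshold:
                alert = alerts.setdefault(key, {"severity": "medium", "success_after": False})
                alert["failures"] = failures[key]
            continue
        m = ACCEPTED.search(line)
        if m and (host, m["ip"]) in alerts:
            # Brute force followed by a successful login: escalate, this needs eyes now.
            alerts[(host, m["ip"])]["severity"] = "high"
            alerts[(host, m["ip"])]["success_after"] = True
    return alerts


def human_queue(alerts):
    """Render the alerts as the lines an analyst must acknowledge, highest severity first."""
    ordered = sorted(alerts.items(), key=lambda kv: kv[1]["severity"] != "high")
    lines = []
    for (host, ip), a in ordered:
        text = f"[{a['severity'].upper()}] {host}: {a['failures']} failed logins from {ip}"
        if a["success_after"]:
            text += ", then a SUCCESSFUL login from the same source: investigate"
        lines.append(text)
    return lines


if __name__ == "__main__":
    for line in human_queue(detect(SAMPLE_LOG)):
        print(line)  # this is the part that goes to a person, by email or ticket
```

The single failure against fileserver01 never reaches the queue, and the five failures against vpn-gw01 become one alert rather than five, upgraded to HIGH when the same address then logs in successfully. What the script cannot do is decide whether that login was legitimate; that is the review the post says a human still has to perform.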

There are many articles out that discuss the IT security labor shortage.

Networkworld.com has the story:

http://www.networkworld.com/article/2893653/cisco-subnet/endpoint-security-meets-the-cybersecurity-skills-shortage.html

This story discusses one aspect of IT security, the endpoint labor shortage, and the problem is not even the high-risk incidents but the following:

When asked to identify their top endpoint security challenges, 38% of enterprise security professionals stated that their organization’s endpoint security staff spends too much time attending to high-priority issues and not enough time on process improvement and strategic planning.

So even in environments focused on critical fixes, many organizations are not performing the process improvements needed to handle new attacks.

On Friday our blog post attempted to start a conversation: http://oversitesentry.com/improve-cybersecurity-lets-teach-more-infosec/

The endpoint is only one aspect of IT security, though. In an enterprise environment there are multiple departments that each require years of experience:

  1. Firewall operations and network security (including ACLs – access control lists)
  2. Endpoint security software operations (the infrastructure for endpoint security has its own challenges)
  3. Forensics (after a loss or breach, someone has to review and clean the endpoint)
  4. Vulnerability scanning (scan the network to see what the computers are doing)
  5. Web application scanning (web applications must be scanned)
  6. Penetration testing (some pentests must be performed for applications)
  7. Security operations (must have infrastructure support for whichever manufacturer's IDS/IPS systems are in use)
  8. Threat intel (this department looks at specific threats coming into the organization)
  9. IT security management (directors, executives and managers)

 

So the way to fix our labor shortage is to get everyone in IT up to speed: train our current IT staff and hire more IT staff in general.

If specialists in network security or operations are needed, they need to be hired specifically for those slots.

But what the article is talking about is the major labor shortage in endpoint security; without those people we get messages like the following:

(image: CryptoWall 2.0 ransom message)

This is a CryptoWall 2.0 ransom message (from last year, 2014); unfortunately CryptoWall has since evolved into a more dangerous version.

On Feb 26 the blogpost discussed the difficulties in an enterprise environment http://oversitesentry.com/how-do-we-improve-security/

(image: win2006xpupdate)

CryptoWall 3.0 has returned with a streamlined dropper:

http://www.v3.co.uk/v3-uk/news/2394598/cryptowall-30-ransomware-returns-with-streamlined-dropper

Cisco's Talos group discussed the details of CryptoWall 3.0 here: http://blogs.cisco.com/security/talos/cryptowall-3-0

How can we teach more IT security people to understand the methods, and how to prevent CryptoWall 3.0?

We have to teach the security basics so that the details can be understood. Most of all, we must learn to do the right thing:

Filotimo – Greek for “friend of honor” (ΦΙΛΟΤΙΜΟ), YouTube video:

http://youtu.be/DaPF4_-gH4g

 

Contact Us to help you in your IT Security Career direction

http://oversitesentry.com/mentoring-future-it-cybersecurity-ethical-hackers/